Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/gnmyt/Nexterm/llms.txt

Use this file to discover all available pages before exploring further.

Nexterm relies on WebSockets for terminal sessions (SSH, VNC, RDP) and real-time state updates. Any reverse proxy you place in front of Nexterm must be configured to forward WebSocket upgrade requests, otherwise connections will fail or disconnect immediately.

Nginx

The Nginx configuration below proxies all traffic to Nexterm and includes the required WebSocket upgrade headers. Replace nexterm.yourdomain.com with your own domain and adjust the upstream address if Nexterm is not running on the same host. 
server {
    listen 80;
    server_name nexterm.yourdomain.com;

    location / {
        proxy_pass http://127.0.0.1:6989;
        proxy_http_version 1.1;

        # WebSocket support
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_read_timeout 86400;
    }
}
proxy_read_timeout 86400 sets a 24-hour timeout. This prevents Nginx from closing long-lived WebSocket connections (such as active terminal sessions) during periods of inactivity.
To add SSL, add a redirect block for port 80 and configure the main server block to listen on 443 ssl: 
server {
    listen 80;
    server_name nexterm.yourdomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name nexterm.yourdomain.com;

    ssl_certificate     /etc/letsencrypt/live/nexterm.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nexterm.yourdomain.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:6989;
        proxy_http_version 1.1;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_read_timeout 86400;
    }
}

Apache

Apache requires the proxy, proxy_http, proxy_wstunnel, and rewrite modules. Enable them before applying the configuration: 
sudo a2enmod proxy proxy_http proxy_wstunnel rewrite
Then add the following virtual host: 
<VirtualHost *:80>
    ServerName nexterm.yourdomain.com

    ProxyPreserveHost On

    # WebSocket support
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteRule ^/?(.*) ws://127.0.0.1:6989/$1 [P,L]

    ProxyPass / http://127.0.0.1:6989/
    ProxyPassReverse / http://127.0.0.1:6989/
    ProxyTimeout 86400
</VirtualHost>
The RewriteRule intercepts WebSocket upgrade requests and forwards them through mod_proxy_wstunnel. Regular HTTP requests fall through to the ProxyPass directives.

Caddy

Caddy handles WebSocket proxying and automatic HTTPS certificate provisioning with no additional configuration. The minimal Caddyfile for Nexterm is: 
nexterm.yourdomain.com {
    reverse_proxy 127.0.0.1:6989
}
Caddy will automatically obtain and renew a Let’s Encrypt certificate for your domain the first time it receives a request.

Traefik (Docker)

Add the following labels to your Nexterm service in docker-compose.yml. Traefik handles WebSocket forwarding automatically. 
services:
  nexterm:
    image: nexterm/aio:latest
    environment:
      ENCRYPTION_KEY: "your-encryption-key"
    restart: always
    volumes:
      - nexterm:/app/data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nexterm.rule=Host(`nexterm.yourdomain.com`)"
      - "traefik.http.routers.nexterm.entrypoints=websecure"
      - "traefik.http.routers.nexterm.tls.certresolver=letsencrypt"
      - "traefik.http.services.nexterm.loadbalancer.server.port=6989"

volumes:
  nexterm:
This assumes you already have a Traefik instance running with a websecure entrypoint and a letsencrypt certificate resolver. Adjust the entrypoint and resolver names to match your Traefik configuration.

Cloudflare Tunnel

Cloudflare Tunnel exposes Nexterm to the internet without requiring you to open inbound firewall ports. Traffic flows through Cloudflare’s network, which also provides DDoS protection and optional Zero Trust access policies.

Prerequisites

Cloudflare account

A Cloudflare account with an active domain added to it.

cloudflared installed

The cloudflared daemon installed on the server running Nexterm.

Setup

1

Create a tunnel in the Cloudflare dashboard

Log in to Cloudflare Zero Trust and navigate to NetworksConnectors.
  1. Click Create a tunnel
  2. Select Cloudflared as the connector type
  3. Give the tunnel a name — for example, nexterm
  4. Copy the installation command shown in the dashboard
2

Install and start cloudflared on your server

Paste the installation command from the previous step into a terminal on the server running Nexterm. It installs cloudflared and registers the tunnel as a system service.
# Example — use the actual command from your Cloudflare dashboard
curl -L https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
Once installed, the tunnel connector will appear as Connected in the dashboard.
3

Add a public hostname

In the tunnel configuration, go to the Public Hostname tab and click Add a public hostname. Fill in the fields as follows:
FieldValue
Subdomainnexterm (or your preferred subdomain)
DomainSelect your Cloudflare domain
TypeHTTP
URLlocalhost:6989
Click Save tunnel.
4

Access Nexterm

Your Nexterm instance is now accessible at https://nexterm.yourdomain.com. Cloudflare handles TLS termination, so no certificate configuration is needed on your server.
Cloudflare Tunnel uses HTTP between cloudflared and Nexterm on your server (localhost:6989). The connection from your browser to Cloudflare is encrypted with TLS managed by Cloudflare. This is the recommended setup — do not set the tunnel type to HTTPS unless you have also configured Nexterm’s built-in SSL.

Build docs developers (and LLMs) love

Get started for freeTalk to us